From: coheigea@apache.org To: commits@cxf.apache.org Date: Fri, 03 Jun 2016 13:10:27 -0000 Message-Id: <099340e4586f4978a31b16e40883fdeb@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [5/6] cxf-fediz git commit: Adding some audience restriction tests archived-at: Fri, 03 Jun 2016 13:10:31 -0000 Adding some audience restriction tests Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ad726f96 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ad726f96 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ad726f96 Branch: refs/heads/1.2.x-fixes Commit: ad726f96e916268a09a3f468f242368b531721c0 Parents: f6307d1 Author: Colm O hEigeartaigh Authored: Fri Jun 3 13:59:23 2016 +0100 Committer: Colm O hEigeartaigh Committed: Fri Jun 3 14:05:49 2016 +0100 ---------------------------------------------------------------------- .../cxf/fediz/core/config/FedizContext.java | 2 +- .../cxf/fediz/core/handler/SigninHandler.java | 7 +- .../federation/AudienceRestrictionTest.java | 413 +++++++++++++++++++ .../core/federation/TestSigninHandler.java | 88 ++++ .../test/resources/fediz_test_config_aud.xml | 111 +++++ 5 files changed, 618 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ad726f96/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java index 2c07d61..4fc5b61 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java 
@@ -84,7 +84,7 @@ public class FedizContext implements Closeable { public List getAudienceUris() { if (config.getAudienceUris() == null) { - return new ArrayList(); + return Collections.emptyList(); } return config.getAudienceUris().getAudienceItem(); } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ad726f96/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java index 0b8e206..a214d9e 100644 --- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java +++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/handler/SigninHandler.java @@ -65,7 +65,10 @@ public class SigninHandler implements RequestHandler { // process and validate the token try { FedizResponse federationResponse = processSigninRequest(responseToken, request, response); - validateAudienceRestrictions(federationResponse.getAudience(), request.getRequestURL().toString()); + if (!validateAudienceRestrictions(federationResponse.getAudience(), + request.getRequestURL().toString())) { + return null; + } LOG.debug("RSTR validated successfully"); return createPrincipal(request, response, federationResponse); } catch (ProcessingException e) { 
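Review bot: The two branches of getAudienceUris now return lists of different mutability: the null case yields the immutable `Collections.emptyList()`, while the other branch still returns the live `config.getAudienceUris().getAudienceItem()` list, so a caller that mutates the result behaves differently depending on configuration and can alter the configured audience whitelist in place. Returning `Collections.unmodifiableList(config.getAudienceUris().getAudienceItem())` in the second branch would make the accessor consistently read-only, which is what a security allow-list should be. The change also needs `java.util.Collections` imported in FedizContext; the import block is outside the hunk so I cannot confirm it is there. The raw `List` type shown here may be an artifact of the mail rendering stripping the generic parameter.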
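Review bot: The new early `return null` on a failed audience check leaves no trace of why the sign-in was rejected: unlike the `ProcessingException` path below it, nothing is logged, so an operator investigating a rejected token (or a token being replayed against the wrong relying party) sees only a silent null principal. Log a warning before returning, e.g. `LOG.warn("Audience restriction validation failed for audience: " + federationResponse.getAudience());` (adjusted to the logger's parameter style); the audience is a URI, not a secret, so it is safe to log. Note also that `request.getRequestURL()` is built from the Host header, which is client-influenced in deployments without a fixed front-end hostname, so if validateAudienceRestrictions falls back to comparing the token audience against it when no audienceUris are configured, that comparison is only as trustworthy as the Host header. The body of validateAudienceRestrictions is outside this hunk, so I cannot confirm that fallback exists.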
@@ -104,7 +107,7 @@ public class SigninHandler implements RequestHandler { protected boolean validateAudienceRestrictions(String audience, String requestURL) { // Validate the AudienceRestriction in Security Token (e.g. SAML) - // validate against the configured list of audienceURIs + // validate against the configured list of audienceURIs List audienceURIs = fedizContext.getAudienceUris(); boolean validAudience = audienceURIs.isEmpty() && audience == null; if (!validAudience && audience != null) { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ad726f96/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/AudienceRestrictionTest.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/AudienceRestrictionTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/AudienceRestrictionTest.java new file mode 100644 index 0000000..bf55170 --- /dev/null +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/AudienceRestrictionTest.java 
@@ -0,0 +1,413 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.core.federation; + +import java.io.File; +import java.io.IOException; +import java.net.URL; +import java.util.Collections; + +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import org.apache.cxf.fediz.common.STSUtil; +import org.apache.cxf.fediz.common.SecurityTestUtil; +import org.apache.cxf.fediz.core.FederationConstants; +import org.apache.cxf.fediz.core.KeystoreCallbackHandler; +import org.apache.cxf.fediz.core.SAML2CallbackHandler; +import org.apache.cxf.fediz.core.config.FedizConfigurator; +import org.apache.cxf.fediz.core.config.FedizContext; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.CryptoFactory; +import org.apache.wss4j.common.ext.WSPasswordCallback; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.saml.SAMLCallback; +import org.apache.wss4j.common.saml.SAMLUtil; +import 
org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean; +import org.apache.wss4j.common.saml.bean.ConditionsBean; +import org.apache.wss4j.common.saml.builder.SAML2Constants; +import org.apache.wss4j.common.util.DOM2Writer; +import org.apache.wss4j.common.util.XMLUtils; +import org.easymock.EasyMock; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * Some tests for audience restriction + */ +public class AudienceRestrictionTest { + public static final String SAMPLE_MULTIPLE_RSTR_COLL_MSG = + "" + + " " + + "" + + "" + + "" + + "" + + "" + + "" + + "" + + "" + + ""; + + static final String TEST_USER = "alice"; + static final String TEST_RSTR_ISSUER = "FedizSTSIssuer"; + static final String TEST_AUDIENCE = "https://localhost/fedizhelloworld"; + static final String TEST_REQUEST_URL = "https://localhost/fedizhelloworld/"; + static final String TEST_REQUEST_URI = "/fedizhelloworld"; + + private static final String CONFIG_FILE = "fediz_test_config_aud.xml"; + + private static Crypto crypto; + private static CallbackHandler cbPasswordHandler; + private static FedizConfigurator configurator; + + + @BeforeClass + public static void init() { + try { + crypto = CryptoFactory.getInstance("signature.properties"); + cbPasswordHandler = new KeystoreCallbackHandler(); + getFederationConfigurator(); + } catch (Exception e) { + e.printStackTrace(); + } + Assert.assertNotNull(configurator); + + } + + @AfterClass + public static void cleanup() { + SecurityTestUtil.cleanup(); + } + + + private static FedizConfigurator getFederationConfigurator() { + if (configurator != null) { + return configurator; + } + try { + configurator = new FedizConfigurator(); + final URL resource = Thread.currentThread().getContextClassLoader() + .getResource(CONFIG_FILE); + File f = new File(resource.toURI()); + configurator.loadConfig(f); + return configurator; + } catch (Exception e) { + 
e.printStackTrace(); + return null; + } + } + + @org.junit.Test + public void validateAudienceThatIsRequired() throws Exception { + SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); + callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); + callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); + callbackHandler.setIssuer(TEST_RSTR_ISSUER); + callbackHandler.setSubjectName(TEST_USER); + ConditionsBean cp = new ConditionsBean(); + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE); + cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); + callbackHandler.setConditions(cp); + + SAMLCallback samlCallback = new SAMLCallback(); + SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); + String rstr = createSamlToken(assertion, "mystskey", true); + + configurator = null; + FedizContext config = getFederationConfigurator().getFedizContext("AUD1"); + + // Mock up the servet request/response + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null); + EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)); + EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); + EasyMock.expect(req.getMethod()).andReturn("POST"); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION)) + .andReturn(FederationConstants.ACTION_SIGNIN); + String relayState = "asfnaosif123123"; + EasyMock.expect(req.getParameter("RelayState")).andReturn(relayState); + EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null); + EasyMock.expect(req.getQueryString()).andReturn(null); + EasyMock.replay(req); + + 
HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Now validate the request + TestSigninHandler signinHandler = new TestSigninHandler(config); + Assert.assertNotNull(signinHandler.handleRequest(req, resp)); + } + + @org.junit.Test + public void validateAudienceThatIsRequiredAgainstMultipleAudiences() throws Exception { + SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); + callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); + callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); + callbackHandler.setIssuer(TEST_RSTR_ISSUER); + callbackHandler.setSubjectName(TEST_USER); + ConditionsBean cp = new ConditionsBean(); + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE); + cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); + callbackHandler.setConditions(cp); + + SAMLCallback samlCallback = new SAMLCallback(); + SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); + String rstr = createSamlToken(assertion, "mystskey", true); + + configurator = null; + FedizContext config = getFederationConfigurator().getFedizContext("AUD2"); + + // Mock up the servet request/response + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null); + EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)); + EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); + EasyMock.expect(req.getMethod()).andReturn("POST"); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION)) + .andReturn(FederationConstants.ACTION_SIGNIN); + String relayState = "asfnaosif123123"; + 
EasyMock.expect(req.getParameter("RelayState")).andReturn(relayState); + EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null); + EasyMock.expect(req.getQueryString()).andReturn(null); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Now validate the request + TestSigninHandler signinHandler = new TestSigninHandler(config); + Assert.assertNotNull(signinHandler.handleRequest(req, resp)); + } + + @org.junit.Test + public void validateBadAudienceThatIsRequired() throws Exception { + SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); + callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); + callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); + callbackHandler.setIssuer(TEST_RSTR_ISSUER); + callbackHandler.setSubjectName(TEST_USER); + ConditionsBean cp = new ConditionsBean(); + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.getAudienceURIs().add("https://localhost/badfedizhelloworld"); + cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); + callbackHandler.setConditions(cp); + + SAMLCallback samlCallback = new SAMLCallback(); + SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); + String rstr = createSamlToken(assertion, "mystskey", true); + + configurator = null; + FedizContext config = getFederationConfigurator().getFedizContext("AUD1"); + + // Mock up the servet request/response + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null); + EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)); + EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); + EasyMock.expect(req.getMethod()).andReturn("POST"); + 
EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION)) + .andReturn(FederationConstants.ACTION_SIGNIN); + String relayState = "asfnaosif123123"; + EasyMock.expect(req.getParameter("RelayState")).andReturn(relayState); + EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null); + EasyMock.expect(req.getQueryString()).andReturn(null); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Now validate the request + TestSigninHandler signinHandler = new TestSigninHandler(config); + Assert.assertNull(signinHandler.handleRequest(req, resp)); + } + + @org.junit.Test + public void validateNoAudienceThatIsRequired() throws Exception { + SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); + callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); + callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); + callbackHandler.setIssuer(TEST_RSTR_ISSUER); + callbackHandler.setSubjectName(TEST_USER); + ConditionsBean cp = new ConditionsBean(); + callbackHandler.setConditions(cp); + + SAMLCallback samlCallback = new SAMLCallback(); + SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); + String rstr = createSamlToken(assertion, "mystskey", true); + + configurator = null; + FedizContext config = getFederationConfigurator().getFedizContext("AUD1"); + + // Mock up the servet request/response + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null); + EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)); + EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); + EasyMock.expect(req.getMethod()).andReturn("POST"); + 
EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION)) + .andReturn(FederationConstants.ACTION_SIGNIN); + String relayState = "asfnaosif123123"; + EasyMock.expect(req.getParameter("RelayState")).andReturn(relayState); + EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null); + EasyMock.expect(req.getQueryString()).andReturn(null); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Now validate the request + TestSigninHandler signinHandler = new TestSigninHandler(config); + Assert.assertNull(signinHandler.handleRequest(req, resp)); + } + + @org.junit.Test + public void validateNoAudienceThatIsNotRequired() throws Exception { + SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); + callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); + callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); + callbackHandler.setIssuer(TEST_RSTR_ISSUER); + callbackHandler.setSubjectName(TEST_USER); + ConditionsBean cp = new ConditionsBean(); + callbackHandler.setConditions(cp); + + SAMLCallback samlCallback = new SAMLCallback(); + SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); + String rstr = createSamlToken(assertion, "mystskey", true); + + configurator = null; + FedizContext config = getFederationConfigurator().getFedizContext("NOAUD"); + + // Mock up the servet request/response + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null); + EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)); + EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); + EasyMock.expect(req.getMethod()).andReturn("POST"); 
+ EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION)) + .andReturn(FederationConstants.ACTION_SIGNIN); + String relayState = "asfnaosif123123"; + EasyMock.expect(req.getParameter("RelayState")).andReturn(relayState); + EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null); + EasyMock.expect(req.getQueryString()).andReturn(null); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Now validate the request + TestSigninHandler signinHandler = new TestSigninHandler(config); + Assert.assertNotNull(signinHandler.handleRequest(req, resp)); + } + + @org.junit.Test + public void validateAudienceThatIsNotRequired() throws Exception { + SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); + callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); + callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); + callbackHandler.setIssuer(TEST_RSTR_ISSUER); + callbackHandler.setSubjectName(TEST_USER); + ConditionsBean cp = new ConditionsBean(); + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE); + cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); + callbackHandler.setConditions(cp); + + SAMLCallback samlCallback = new SAMLCallback(); + SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); + String rstr = createSamlToken(assertion, "mystskey", true); + + configurator = null; + FedizContext config = getFederationConfigurator().getFedizContext("NOAUD"); + + // Mock up the servet request/response + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + 
EasyMock.expect(req.getParameter(FederationConstants.PARAM_HOME_REALM)).andReturn(null); + EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL)); + EasyMock.expect(req.getContextPath()).andReturn(TEST_REQUEST_URI); + EasyMock.expect(req.getMethod()).andReturn("POST"); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_RESULT)).andReturn(rstr); + EasyMock.expect(req.getParameter(FederationConstants.PARAM_ACTION)) + .andReturn(FederationConstants.ACTION_SIGNIN); + String relayState = "asfnaosif123123"; + EasyMock.expect(req.getParameter("RelayState")).andReturn(relayState); + EasyMock.expect(req.getAttribute("javax.servlet.request.X509Certificate")).andReturn(null); + EasyMock.expect(req.getQueryString()).andReturn(null); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Now validate the request + TestSigninHandler signinHandler = new TestSigninHandler(config); + Assert.assertNull(signinHandler.handleRequest(req, resp)); + } + + private String createSamlToken(SamlAssertionWrapper assertion, String alias, boolean sign) + throws IOException, UnsupportedCallbackException, WSSecurityException, Exception { + return createSamlToken(assertion, alias, sign, STSUtil.SAMPLE_RSTR_COLL_MSG); + } + + private String createSamlToken(SamlAssertionWrapper assertion, String alias, boolean sign, String rstr) + throws IOException, UnsupportedCallbackException, WSSecurityException, Exception { + WSPasswordCallback[] cb = { + new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) + }; + cbPasswordHandler.handle(cb); + String password = cb[0].getPassword(); + + if (sign) { + assertion.signAssertion(alias, password, crypto, false); + } + Document doc = STSUtil.toSOAPPart(rstr); + Element token = assertion.toDOM(doc); + + Element e = XMLUtils.findElement(doc, "RequestedSecurityToken", + FederationConstants.WS_TRUST_13_NS); + if (e == null) { + e = 
XMLUtils.findElement(doc, "RequestedSecurityToken", + FederationConstants.WS_TRUST_2005_02_NS); + } + e.appendChild(token); + return DOM2Writer.nodeToString(doc); + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ad726f96/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/TestSigninHandler.java ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/TestSigninHandler.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/TestSigninHandler.java new file mode 100644 index 0000000..bdf68d9 --- /dev/null +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/TestSigninHandler.java 
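Review bot: The negative tests (`validateBadAudienceThatIsRequired`, `validateNoAudienceThatIsRequired`, `validateAudienceThatIsNotRequired`) assert only `Assert.assertNull(signinHandler.handleRequest(req, resp))`, which cannot distinguish an audience rejection from any other reason handleRequest returns null (a signature, issuer or timestamp problem would produce the same result), so a regression that disabled the audience check but broke token processing would still pass. Since TestSigninHandler extends SigninHandler in the same package, the protected validator can be exercised directly, e.g. `Assert.assertFalse(signinHandler.validateAudienceRestrictions("https://localhost/badfedizhelloworld", TEST_REQUEST_URL));` alongside the end-to-end assertion. The name `validateAudienceThatIsNotRequired` is also misleading for a test that expects rejection; it appears to fail because TEST_AUDIENCE lacks the trailing slash of TEST_REQUEST_URL, so either rename it or add a comment stating the expected reason for the null result. Finally, `SAMPLE_MULTIPLE_RSTR_COLL_MSG` is never referenced in this file, and the `throws` clauses on both createSamlToken overloads list three checked types that are already covered by `Exception`.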
@@ -0,0 +1,88 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.core.federation; + +import java.util.Collections; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.w3c.dom.Element; + +import org.apache.cxf.fediz.core.Claim; +import org.apache.cxf.fediz.core.ClaimCollection; +import org.apache.cxf.fediz.core.FedizPrincipal; +import org.apache.cxf.fediz.core.config.FedizContext; +import org.apache.cxf.fediz.core.handler.SigninHandler; +import org.apache.cxf.fediz.core.processor.FedizResponse; + +public class TestSigninHandler extends SigninHandler { + + public TestSigninHandler(FedizContext fedizContext) { + super(fedizContext); + } + + @Override + protected FedizPrincipal createPrincipal(HttpServletRequest request, HttpServletResponse response, + FedizResponse wfRes) { + + List roles = wfRes.getRoles(); + if (roles == null || roles.size() == 0) { + roles = Collections.singletonList("Authenticated"); + } + + // proceed creating the JAAS Subject + FedizPrincipal principal = new FederationPrincipalImpl(wfRes.getUsername(), roles, + wfRes.getClaims(), wfRes.getToken()); + + return principal; + } 
+ + private static class FederationPrincipalImpl implements FedizPrincipal { + + protected ClaimCollection claims; + protected Element loginToken; + private String username; + + FederationPrincipalImpl(String username, List roles, + List claims, Element loginToken) { + this.claims = new ClaimCollection(claims); + this.loginToken = loginToken; + this.username = username; + } + + public ClaimCollection getClaims() { + return this.claims; + } + + @Override + public Element getLoginToken() { + return loginToken; + } + + @Override + public String getName() { + return username; + } + + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ad726f96/plugins/core/src/test/resources/fediz_test_config_aud.xml ---------------------------------------------------------------------- diff --git a/plugins/core/src/test/resources/fediz_test_config_aud.xml b/plugins/core/src/test/resources/fediz_test_config_aud.xml new file mode 100644 index 0000000..148fe47 --- /dev/null +++ b/plugins/core/src/test/resources/fediz_test_config_aud.xml @@ -0,0 +1,111 @@ + + + + + + https://localhost/fedizhelloworld + + + + + + + + + + + 1000 + + target realm + http://url_to_the_issuer + ; + http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role + + 10000 + reply value + REQUEST + + + + + + + + + https://localhost/fediz2helloworld + https://localhost/fedizhelloworld + + + + + + + + + + + 1000 + + target realm + http://url_to_the_issuer + ; + http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role + + 10000 + reply value + REQUEST + + + + + + + + + + + + + + + + + 1000 + + target realm + http://url_to_the_issuer + ; + http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role + + 10000 + reply value + REQUEST + + + + + +
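Review bot: `getClaims()` in FederationPrincipalImpl is the only method of the class without `@Override`, while `getLoginToken()` and `getName()` carry it; assuming getClaims is part of the FedizPrincipal contract, add `@Override` so a signature drift in the interface is caught at compile time instead of silently leaving an unrelated method behind. In createPrincipal, `roles == null || roles.size() == 0` reads better as `roles == null || roles.isEmpty()`. The `protected` fields of a `private static` nested class gain nothing from that visibility and could be `private final`, since nothing assigns them after the constructor.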